SlideShare a Scribd company logo

Mulin Holstein PKI-strategy

F
fEngel
Technology
1 of 24
Download to read offline
 Developing your corporate PKI Strategy  Gil Mulin, Airbus  Julien Holstein, Aerospace Vision on behalf of Airbus
May 2010 Page 2 Prologue With cyber security as one of the top priorities of the President, the federal government has initiated a significant overhaul of its information security standards, guidance, and risk management activities. The National Institute of Standards and Technology (NIST) in partnership with the Department of Defense and the Intelligence Community, is developing a unified information security and risk management framework for federal agencies and their support contractors including those organizations in the A&D industries. Many state and local governments as well as private sector entities are adopting the security standards and guidelines on a voluntary basis. Applying information security best practices and effectively managing risk associated with the operation and use of information systems will help ensure that the operations, assets, and individuals within the United States critical infrastructure are well protected against an increasingly sophisticated and dangerous set of cyber threats. Dr. Ronald Ross, Project Lead for FISMA Implementation Project, National Institute of Standards and Technology (NIST)
May 2010 Page 3 Agenda Introduction A reminder Companies’ needs Possible implementations Conclusion 1 3 4 2 5
May 2010 Page 4 1 - Introduction  Information security is a key topic in the industry Deals with confidentiality, integrity (and non repudiation) and availability of data Data digital security is widely handled with digital certificates Aeronautical actors have to implement information security all over their activities In domains where aircrafts are impacted In all their other domains (finance, strategy, HR, technical design…) DSWG sets the standard concerning the usage of digital certificates around the aircrafts  Impact various contributors (manufacturers, system providers, airlines, airports…)  Defines processes and technical requirements around digital certificates in order to provide a good level of trust
May 2010 Page 5 Agenda Introduction Reminders Companies’ needs Possible implementation Conclusion 1 3 4 2 5
May 2010 Page 6  What are digital certificates ? Digital certificates are the digital keys which allow to encrypt data (protect the confidentiality) and to digitally sign data (provide assurance on integrity, identity and non repudiation). They are provided by Certificates Authorities (CA) 2 - Reminders Mr Blue signs a document with his certificate And send it to Mr Green Mr Green recognizes Mr Blue signature This provides assurance on : •The identity of the sender •The integrity of the data since it has been signed •The fact the message has been sent (non repudiation) Mr Blue encrypt a document for Mr green And send it to Mr Green Mr Green decrypt the document with his certificate This provides assurance on : •The confidentiality of the data
May 2010 Page 7  What is a Public Key Infrastructure (PKI) ? A PKI is the addition of physical Information System means (servers, specialized software,…) and processes in order to manage digital certificates lifecycle (certificates generation, revocation, renewal, user registration, revocation lists managements, public information publication, trust anchor…) It is important to notice that a PKI is split in 20% of technology and 80% of processes and management 2 - Reminders PKI publication of public information and trust anchor
May 2010 Page 8  What is a cross certification bridge ? A cross certification bridge is a set of rules PKI can fulfill to enlarge their circle of trust. All the PKI cross certified toward the same bridge trust and are trusted by all the others 2 - Reminders PKI publication of public information and trust anchor Company B PKI publication of public information and trust anchor Company A
May 2010 Page 9  What is a cross certification bridge ? A cross certification bridge is a set of rules PKI can fulfill to enlarge their circle of trust. All the PKI cross certified toward the same bridge trust and are trusted by all the others 2 - Reminders PKI publication of public information and trust anchor Company B PKI publication of public information and trust anchor Company A Cross certification bridge
May 2010 Page 10  What is a cross certification bridge ? A cross certification bridge is a set of rules PKI can fulfill to enlarge their circle of trust. All the PKI cross certified toward the same bridge trust and are trusted by all the others A cross certification bridge requires a Trust anchor. A Trust anchor is the foundation upon which the trust chain rests. A trust anchor is an unequivocal authority, usually governmental. For example , in the case of Certipath (jointly owned by ARINC,SITA and Exostar) the trust anchor is the U.S Federal PKI Authority. The trust anchor determines the criteria for cross-certification as well as the governance regime. 2 - Reminders
May 2010 Page 11  What collaboration WITHOUT a cross certification bridge looks like 2 - Reminders
May 2010 Page 12 2 - Reminders  What collaboration WITH a cross certification bridge looks like PKI Bridge
May 2010 Page 13 2 - Reminders  Trust fabric CertiPath Bridge CA (CBCA) Federal Bridge CA (FBCA) Boeing CA CertiPath Root CA (CBCA) Exostar FIS CA (Subordinate) ARINC CA (Subordinate) Lockheed Martin CA Federal Shared Service Provider CAs (Subordinate) Raytheon CA Northrop Grumman CA Exostar CA SITA CA Federal Agency CAs CertiPath Operational Authority (OA) Federal Agency CAs Federal Agency CAs Federal Agency CAs Federal Shared Service Provider CAs (Subordinate) Cross-Cert Cross-Cert Cross-Cert Subordinates (SSP) Subordinates (SSP) EADS CA
May 2010 Page 14 Agenda Introduction Reminders Companies’ needs Possible implementation Conclusion 1 3 4 2 5
May 2010 Page 15  Aeronautical functional needs Loadable software parts code signing FAA form 8130-3 and EASA form1 digital signature XML crate digital signature ACARS messages encryption Industrial “ground” functional needs Encryption of sensitive data (files, e-mails, laptops hard drive) Digital signature of files and e-mails “Qualified” digital signature Strong authentication 3 – Companies’ needs
May 2010 Page 16  Interoperability Maybe I will have to digitally sign a piece of software which will be loaded in an aircraft? (DSWG guidelines) Maybe I will have to digitally sign some official documents (DSWG-spec 2000 guidelines)? Maybe I will have to implement an “Extended Enterprise” business model which is going to require identity federation? (the foundation of which should rely on PKI) Practical Operations Minimal variation Fit within existing responsibilities Predictable Re-usable Economy Minimum new investment as operations evolve 3 – Companies’ needs
May 2010 Page 17 Agenda Introduction Reminders Companies’ needs Possible implementation Conclusion 1 3 4 2 5
May 2010 Page 18 What are your choices in terms of use? To consolidate on as few digital certificates as possible, all issued from a single PKI or to use different digital certificates for each activity, possibly issued by different PKI What are your choices in terms of implementation? You can choose to buy your certificates Why would you choose to buy your certificates? You have a choice of providers You can choose to implement your own PKI You will need external expertise to provide specialist knowledge Why would you choose to implement your own PKI? Why would you want to have certificates that are cross-certified? 4 - Possible implementation
May 2010 Page 19 What are your drivers? Cost (implementing your own PKI is very expensive) Economies of scale Availability of resources Management focus Strategy : do you want to wait for regulation to enforce you or do you want to or to anticipate the best you can? Why would you wait for regulation? Why would you anticipate? In either case (make or buy) it is fundamental that the company has processes in place that provide a unique identity for each employee together with the respective vetting actions which the law of the country allows. ( for example is should be based on FIPS 201 /HSPD 12 in the US ) There are certain roles that have to be created e.g. the Registration Authorities. These RAs register the future subscriber. There are also the Trusted Agents. They are responsible for issuing the certificates and therefore for ensuring the binding of the identity of the subscriber to the certificate itself 4 - Possible implementation
May 2010 Page 20 4 - Possible implementation Federal Bridge (FBCA) Raytheon The Boeing Company Citibank Northrop Grumman Lockheed Martin Cybertrust Entrust Exostar ORC Treasury VeriSign USPTO NASAGPODOJDOS Other Federal Agency Sponsored DoD Sponsored DoD Other Federal Agency Commercial State Government Shared Service Provider DHS EADS SITA Exostar CertiPath Root ORC VeriSign IdentTrust DoD ECA Root 1 DoD iRoot UK CCEB RootDoD Root 2 DoD Root 1 DoD Subordinate CA’s UK MOD CCEB Root Common Policy Root CertiPath Bridge ORC VeriSign IdentTrust DoD ECA Root 2 USPS DEA CSOS GSA ACES IdentTrust GSA ACES VeriSign DOEDOE
May 2010 Page 21 Epilogue With cyber security as one of the top priorities of the President, the federal government has initiated a significant overhaul of its information security standards, guidance, and risk management activities. The National Institute of Standards and Technology (NIST) in partnership with the Department of Defense and the Intelligence Community, is developing a unified information security and risk management framework for federal agencies and their support contractors including those organizations in the A&D industries. Many state and local governments as well as private sector entities are adopting the security standards and guidelines on a voluntary basis. Applying information security best practices and effectively managing risk associated with the operation and use of information systems will help ensure that the operations, assets, and individuals within the United States critical infrastructure are well protected against an increasingly sophisticated and dangerous set of cyber threats. Dr. Ronald Ross, Project Lead for FISMA Implementation Project, National Institute of Standards and Technology (NIST)
May 2010 Page 22 Agenda Introduction Reminders Companies’ needs Possible implementation Conclusion 1 3 4 2 5
May 2010 Page 23 What do I need to implement? Should I make or should I buy? In order to help you in front of those two questions, we advise you have a clear vision on your immediate and midterm needs through several axis : Identity and non repudiation, integrity and confidentiality needs Regulated needs versus “free” corporate needs Pure internal needs versus shared needs with partners/customers/suppliers Strategy of my company towards the Extended Enterprise model The interoperability you expect between all these needs The agility you expect your solution to have 5 - Conclusion
May 2010 Page 24 Any questions? Gil Mulin, Airbus gil.mulin@airbus.com Julien Holstein, Aerospace Vision on behalf of Airbus julien.holstein@aerospace-vision.com 5 - Conclusion

Recommended

Investor Presentation
Investor PresentationInvestor Presentation
Investor PresentationCompany Spotlight
 
Investor presentation2013
Investor presentation2013Investor presentation2013
Investor presentation2013Company Spotlight
 
The Future of Identity - OpenID Summit 2020
The Future of Identity - OpenID Summit 2020The Future of Identity - OpenID Summit 2020
The Future of Identity - OpenID Summit 2020OpenID Foundation Japan
 
Where Data Security and Value of Data Meet in the Cloud
Where Data Security and Value of Data Meet in the CloudWhere Data Security and Value of Data Meet in the Cloud
Where Data Security and Value of Data Meet in the CloudUlf Mattsson
 
Blockchain Decentralized Identifier (DID) Innovation Insights from Patents
Blockchain Decentralized Identifier (DID) Innovation Insights from PatentsBlockchain Decentralized Identifier (DID) Innovation Insights from Patents
Blockchain Decentralized Identifier (DID) Innovation Insights from PatentsAlex G. Lee, Ph.D. Esq. CLP
 
Evolving regulations are changing the way we think about tools and technology
Evolving regulations are changing the way we think about tools and technologyEvolving regulations are changing the way we think about tools and technology
Evolving regulations are changing the way we think about tools and technologyUlf Mattsson
 
Insurance for Cyber Risks
Insurance for Cyber RisksInsurance for Cyber Risks
Insurance for Cyber Riskssmithjgdc
 
Cloud Privacy Update: What You Need to Know
Cloud Privacy Update: What You Need to KnowCloud Privacy Update: What You Need to Know
Cloud Privacy Update: What You Need to KnowAct-On Software
 

Recommended

Investor Presentation
Investor PresentationInvestor Presentation
Investor PresentationCompany Spotlight
 
Investor presentation2013
Investor presentation2013Investor presentation2013
Investor presentation2013Company Spotlight
 
The Future of Identity - OpenID Summit 2020
The Future of Identity - OpenID Summit 2020The Future of Identity - OpenID Summit 2020
The Future of Identity - OpenID Summit 2020OpenID Foundation Japan
 
Where Data Security and Value of Data Meet in the Cloud
Where Data Security and Value of Data Meet in the CloudWhere Data Security and Value of Data Meet in the Cloud
Where Data Security and Value of Data Meet in the CloudUlf Mattsson
 
Blockchain Decentralized Identifier (DID) Innovation Insights from Patents
Blockchain Decentralized Identifier (DID) Innovation Insights from PatentsBlockchain Decentralized Identifier (DID) Innovation Insights from Patents
Blockchain Decentralized Identifier (DID) Innovation Insights from PatentsAlex G. Lee, Ph.D. Esq. CLP
 
Evolving regulations are changing the way we think about tools and technology
Evolving regulations are changing the way we think about tools and technologyEvolving regulations are changing the way we think about tools and technology
Evolving regulations are changing the way we think about tools and technologyUlf Mattsson
 
Insurance for Cyber Risks
Insurance for Cyber RisksInsurance for Cyber Risks
Insurance for Cyber Riskssmithjgdc
 
Cloud Privacy Update: What You Need to Know
Cloud Privacy Update: What You Need to KnowCloud Privacy Update: What You Need to Know
Cloud Privacy Update: What You Need to KnowAct-On Software
 
Cloud Privacy
Cloud PrivacyCloud Privacy
Cloud PrivacyAct-On Software
 
Open Banking beyond PSD2 in the EU
Open Banking beyond PSD2 in the EU Open Banking beyond PSD2 in the EU
Open Banking beyond PSD2 in the EU OpenID Foundation Japan
 
Under Lock And Key
Under Lock And KeyUnder Lock And Key
Under Lock And KeyYarko Petriw
 
All's Fair in Love and Cyber Warfare
All's Fair in Love and Cyber WarfareAll's Fair in Love and Cyber Warfare
All's Fair in Love and Cyber WarfareNationalUnderwriter
 
Protecting Your Data in the Cloud - CSO - Conference 2011
Protecting Your Data in the Cloud - CSO - Conference 2011 Protecting Your Data in the Cloud - CSO - Conference 2011
Protecting Your Data in the Cloud - CSO - Conference 2011 Ulf Mattsson
 
Data protection on premises, and in public and private clouds
Data protection on premises, and in public and private cloudsData protection on premises, and in public and private clouds
Data protection on premises, and in public and private cloudsUlf Mattsson
 
BeingSign blockchain-based online signing system|Introduction
BeingSign blockchain-based online signing system|IntroductionBeingSign blockchain-based online signing system|Introduction
BeingSign blockchain-based online signing system|IntroductionBeingSign|區塊鏈線上簽署系統
 
Jul 16 isaca london data protection, security and privacy risks - on premis...
Jul 16 isaca london data protection, security and privacy risks - on premis...Jul 16 isaca london data protection, security and privacy risks - on premis...
Jul 16 isaca london data protection, security and privacy risks - on premis...Ulf Mattsson
 
Legal Extranet
Legal ExtranetLegal Extranet
Legal ExtranetAlasdair Kilgour
 
New regulations and the evolving cybersecurity technology landscape
New regulations and the evolving cybersecurity technology landscapeNew regulations and the evolving cybersecurity technology landscape
New regulations and the evolving cybersecurity technology landscapeUlf Mattsson
 
Building trust attributes in e transactions (final) ver 3.0
Building trust attributes in e transactions (final) ver 3.0Building trust attributes in e transactions (final) ver 3.0
Building trust attributes in e transactions (final) ver 3.0Aladdin Dandis
 
What is Blockchain and How Can It Change the Game for Financial Institutions?
What is Blockchain and How Can It Change the Game for Financial Institutions?What is Blockchain and How Can It Change the Game for Financial Institutions?
What is Blockchain and How Can It Change the Game for Financial Institutions?Colleen Beck-Domanico
 
What I learned at the Infosecurity ISACA North America Conference 2019
What I learned at the Infosecurity ISACA North America Conference 2019What I learned at the Infosecurity ISACA North America Conference 2019
What I learned at the Infosecurity ISACA North America Conference 2019Ulf Mattsson
 
PKI IN Government Identity Management Systems
PKI IN Government Identity Management SystemsPKI IN Government Identity Management Systems
PKI IN Government Identity Management SystemsArab Federation for Digital Economy
 
Feedback on Non Personal Data Governance Framework
Feedback on Non Personal Data Governance FrameworkFeedback on Non Personal Data Governance Framework
Feedback on Non Personal Data Governance FrameworkNanda Mohan Shenoy
 
Wk White Paper
Wk White PaperWk White Paper
Wk White PaperCreus Moreira Carlos
 
Anonos NIST Comment Letter – De–Identification Of Personally Identifiable Inf...
Anonos NIST Comment Letter – De–Identification Of Personally Identifiable Inf...Anonos NIST Comment Letter – De–Identification Of Personally Identifiable Inf...
Anonos NIST Comment Letter – De–Identification Of Personally Identifiable Inf...Ted Myerson
 
ISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloudISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloudUlf Mattsson
 
Emerging application and data protection for cloud
Emerging application and data protection for cloudEmerging application and data protection for cloud
Emerging application and data protection for cloudUlf Mattsson
 
ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...Ulf Mattsson
 
Strong Authentication Trends in Government
Strong Authentication Trends in GovernmentStrong Authentication Trends in Government
Strong Authentication Trends in GovernmentFIDO Alliance
 
Dss investor presentation
Dss investor presentationDss investor presentation
Dss investor presentationCompany Spotlight
 

More Related Content

What's hot

Under Lock And Key
Under Lock And KeyUnder Lock And Key
Under Lock And KeyYarko Petriw
 
All's Fair in Love and Cyber Warfare
All's Fair in Love and Cyber WarfareAll's Fair in Love and Cyber Warfare
All's Fair in Love and Cyber WarfareNationalUnderwriter
 
Protecting Your Data in the Cloud - CSO - Conference 2011
Protecting Your Data in the Cloud - CSO - Conference 2011 Protecting Your Data in the Cloud - CSO - Conference 2011
Protecting Your Data in the Cloud - CSO - Conference 2011 Ulf Mattsson
 
Data protection on premises, and in public and private clouds
Data protection on premises, and in public and private cloudsData protection on premises, and in public and private clouds
Data protection on premises, and in public and private cloudsUlf Mattsson
 
Jul 16 isaca london data protection, security and privacy risks - on premis...
Jul 16 isaca london data protection, security and privacy risks - on premis...Jul 16 isaca london data protection, security and privacy risks - on premis...
Jul 16 isaca london data protection, security and privacy risks - on premis...Ulf Mattsson
 
New regulations and the evolving cybersecurity technology landscape
New regulations and the evolving cybersecurity technology landscapeNew regulations and the evolving cybersecurity technology landscape
New regulations and the evolving cybersecurity technology landscapeUlf Mattsson
 
Building trust attributes in e transactions (final) ver 3.0
Building trust attributes in e transactions (final) ver 3.0Building trust attributes in e transactions (final) ver 3.0
Building trust attributes in e transactions (final) ver 3.0Aladdin Dandis
 
What is Blockchain and How Can It Change the Game for Financial Institutions?
What is Blockchain and How Can It Change the Game for Financial Institutions?What is Blockchain and How Can It Change the Game for Financial Institutions?
What is Blockchain and How Can It Change the Game for Financial Institutions?Colleen Beck-Domanico
 
What I learned at the Infosecurity ISACA North America Conference 2019
What I learned at the Infosecurity ISACA North America Conference 2019What I learned at the Infosecurity ISACA North America Conference 2019
What I learned at the Infosecurity ISACA North America Conference 2019Ulf Mattsson
 
Feedback on Non Personal Data Governance Framework
Feedback on Non Personal Data Governance FrameworkFeedback on Non Personal Data Governance Framework
Feedback on Non Personal Data Governance FrameworkNanda Mohan Shenoy
 
Anonos NIST Comment Letter – De–Identification Of Personally Identifiable Inf...
Anonos NIST Comment Letter – De–Identification Of Personally Identifiable Inf...Anonos NIST Comment Letter – De–Identification Of Personally Identifiable Inf...
Anonos NIST Comment Letter – De–Identification Of Personally Identifiable Inf...Ted Myerson
 
ISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloudISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloudUlf Mattsson
 
Emerging application and data protection for cloud
Emerging application and data protection for cloudEmerging application and data protection for cloud
Emerging application and data protection for cloudUlf Mattsson
 
ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...Ulf Mattsson
 

What's hot (20)

Cloud Privacy
Cloud PrivacyCloud Privacy
Cloud Privacy
 
Open Banking beyond PSD2 in the EU
Open Banking beyond PSD2 in the EU Open Banking beyond PSD2 in the EU
Open Banking beyond PSD2 in the EU
 
Under Lock And Key
Under Lock And KeyUnder Lock And Key
Under Lock And Key
 
All's Fair in Love and Cyber Warfare
All's Fair in Love and Cyber WarfareAll's Fair in Love and Cyber Warfare
All's Fair in Love and Cyber Warfare
 
Protecting Your Data in the Cloud - CSO - Conference 2011
Protecting Your Data in the Cloud - CSO - Conference 2011 Protecting Your Data in the Cloud - CSO - Conference 2011
Protecting Your Data in the Cloud - CSO - Conference 2011
 
Data protection on premises, and in public and private clouds
Data protection on premises, and in public and private cloudsData protection on premises, and in public and private clouds
Data protection on premises, and in public and private clouds
 
BeingSign blockchain-based online signing system|Introduction
BeingSign blockchain-based online signing system|IntroductionBeingSign blockchain-based online signing system|Introduction
BeingSign blockchain-based online signing system|Introduction
 
Jul 16 isaca london data protection, security and privacy risks - on premis...
Jul 16 isaca london data protection, security and privacy risks - on premis...Jul 16 isaca london data protection, security and privacy risks - on premis...
Jul 16 isaca london data protection, security and privacy risks - on premis...
 
Legal Extranet
Legal ExtranetLegal Extranet
Legal Extranet
 
New regulations and the evolving cybersecurity technology landscape
New regulations and the evolving cybersecurity technology landscapeNew regulations and the evolving cybersecurity technology landscape
New regulations and the evolving cybersecurity technology landscape
 
Building trust attributes in e transactions (final) ver 3.0
Building trust attributes in e transactions (final) ver 3.0Building trust attributes in e transactions (final) ver 3.0
Building trust attributes in e transactions (final) ver 3.0
 
What is Blockchain and How Can It Change the Game for Financial Institutions?
What is Blockchain and How Can It Change the Game for Financial Institutions?What is Blockchain and How Can It Change the Game for Financial Institutions?
What is Blockchain and How Can It Change the Game for Financial Institutions?
 
What I learned at the Infosecurity ISACA North America Conference 2019
What I learned at the Infosecurity ISACA North America Conference 2019What I learned at the Infosecurity ISACA North America Conference 2019
What I learned at the Infosecurity ISACA North America Conference 2019
 
PKI IN Government Identity Management Systems
PKI IN Government Identity Management SystemsPKI IN Government Identity Management Systems
PKI IN Government Identity Management Systems
 
Feedback on Non Personal Data Governance Framework
Feedback on Non Personal Data Governance FrameworkFeedback on Non Personal Data Governance Framework
Feedback on Non Personal Data Governance Framework
 
Wk White Paper
Wk White PaperWk White Paper
Wk White Paper
 
Anonos NIST Comment Letter – De–Identification Of Personally Identifiable Inf...
Anonos NIST Comment Letter – De–Identification Of Personally Identifiable Inf...Anonos NIST Comment Letter – De–Identification Of Personally Identifiable Inf...
Anonos NIST Comment Letter – De–Identification Of Personally Identifiable Inf...
 
ISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloudISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloud
 
Emerging application and data protection for cloud
Emerging application and data protection for cloudEmerging application and data protection for cloud
Emerging application and data protection for cloud
 
ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...
 

Similar to Mulin Holstein PKI-strategy

Strong Authentication Trends in Government
Strong Authentication Trends in GovernmentStrong Authentication Trends in Government
Strong Authentication Trends in GovernmentFIDO Alliance
 
FIDO's Role in the Global Regulatory Landscape for Strong Authentication
FIDO's Role in the Global Regulatory Landscape for Strong AuthenticationFIDO's Role in the Global Regulatory Landscape for Strong Authentication
FIDO's Role in the Global Regulatory Landscape for Strong AuthenticationFIDO Alliance
 
2016 01-05 csr css non-confidential slide deck
2016 01-05 csr css non-confidential slide deck2016 01-05 csr css non-confidential slide deck
2016 01-05 csr css non-confidential slide deckRichard (Dick) Kaufman
 
Sarbanes-Oxley Compliance and the RFI/RFP Process
Sarbanes-Oxley Compliance and the RFI/RFP ProcessSarbanes-Oxley Compliance and the RFI/RFP Process
Sarbanes-Oxley Compliance and the RFI/RFP ProcessCXT Group
 
Global Regulatory Landscape for Strong Authentication
Global Regulatory Landscape for Strong AuthenticationGlobal Regulatory Landscape for Strong Authentication
Global Regulatory Landscape for Strong AuthenticationFIDO Alliance
 
Frost Entrust Datacard-award-write-up-final
Frost Entrust Datacard-award-write-up-finalFrost Entrust Datacard-award-write-up-final
Frost Entrust Datacard-award-write-up-finalWendy Murphy
 
Introduction to FIDO Alliance
Introduction to FIDO AllianceIntroduction to FIDO Alliance
Introduction to FIDO AllianceFIDO Alliance
 
Pci Europe 2009 Underside Of The Compliance Ecosystem
Pci Europe 2009 Underside Of The Compliance EcosystemPci Europe 2009 Underside Of The Compliance Ecosystem
Pci Europe 2009 Underside Of The Compliance Ecosystemkpatrickwheeler
 
Quick Start Guide to IT Security for Businesses
Quick Start Guide to IT Security for BusinessesQuick Start Guide to IT Security for Businesses
Quick Start Guide to IT Security for BusinessesCompTIA
 
Comprehensive Data Leak Prevention
Comprehensive Data Leak PreventionComprehensive Data Leak Prevention
Comprehensive Data Leak PreventionTanvir Hashmi
 
apidays New York 2023 - CATTS out of the bag, Jean-Paul LaClair, FDX
apidays New York 2023 - CATTS out of the bag, Jean-Paul LaClair, FDXapidays New York 2023 - CATTS out of the bag, Jean-Paul LaClair, FDX
apidays New York 2023 - CATTS out of the bag, Jean-Paul LaClair, FDXapidays
 
Kerberos-PKI-Federated identity
Kerberos-PKI-Federated identityKerberos-PKI-Federated identity
Kerberos-PKI-Federated identityWAFAA AL SALMAN
 
Maintain data privacy during software development
Maintain data privacy during software developmentMaintain data privacy during software development
Maintain data privacy during software developmentMuhammadArif823
 
Cyber security basics for law firms
Cyber security basics for law firmsCyber security basics for law firms
Cyber security basics for law firmsRobert Westmacott
 

Similar to Mulin Holstein PKI-strategy (20)

Strong Authentication Trends in Government
Strong Authentication Trends in GovernmentStrong Authentication Trends in Government
Strong Authentication Trends in Government
 
Dss investor presentation
Dss investor presentationDss investor presentation
Dss investor presentation
 
FIDO's Role in the Global Regulatory Landscape for Strong Authentication
FIDO's Role in the Global Regulatory Landscape for Strong AuthenticationFIDO's Role in the Global Regulatory Landscape for Strong Authentication
FIDO's Role in the Global Regulatory Landscape for Strong Authentication
 
2016 01-05 csr css non-confidential slide deck
2016 01-05 csr css non-confidential slide deck2016 01-05 csr css non-confidential slide deck
2016 01-05 csr css non-confidential slide deck
 
Sarbanes-Oxley Compliance and the RFI/RFP Process
Sarbanes-Oxley Compliance and the RFI/RFP ProcessSarbanes-Oxley Compliance and the RFI/RFP Process
Sarbanes-Oxley Compliance and the RFI/RFP Process
 
July 2010 Cover Story
July 2010 Cover StoryJuly 2010 Cover Story
July 2010 Cover Story
 
Global Regulatory Landscape for Strong Authentication
Global Regulatory Landscape for Strong AuthenticationGlobal Regulatory Landscape for Strong Authentication
Global Regulatory Landscape for Strong Authentication
 
Dr K Subramanian
Dr K SubramanianDr K Subramanian
Dr K Subramanian
 
The relevance of Digital content in SOX compliance
The relevance of Digital content in SOX complianceThe relevance of Digital content in SOX compliance
The relevance of Digital content in SOX compliance
 
Final Project
Final ProjectFinal Project
Final Project
 
Frost Entrust Datacard-award-write-up-final
Frost Entrust Datacard-award-write-up-finalFrost Entrust Datacard-award-write-up-final
Frost Entrust Datacard-award-write-up-final
 
Introduction to FIDO Alliance
Introduction to FIDO AllianceIntroduction to FIDO Alliance
Introduction to FIDO Alliance
 
Pci Europe 2009 Underside Of The Compliance Ecosystem
Pci Europe 2009 Underside Of The Compliance EcosystemPci Europe 2009 Underside Of The Compliance Ecosystem
Pci Europe 2009 Underside Of The Compliance Ecosystem
 
Quick Start Guide to IT Security for Businesses
Quick Start Guide to IT Security for BusinessesQuick Start Guide to IT Security for Businesses
Quick Start Guide to IT Security for Businesses
 
Comprehensive Data Leak Prevention
Comprehensive Data Leak PreventionComprehensive Data Leak Prevention
Comprehensive Data Leak Prevention
 
apidays New York 2023 - CATTS out of the bag, Jean-Paul LaClair, FDX
apidays New York 2023 - CATTS out of the bag, Jean-Paul LaClair, FDXapidays New York 2023 - CATTS out of the bag, Jean-Paul LaClair, FDX
apidays New York 2023 - CATTS out of the bag, Jean-Paul LaClair, FDX
 
Kerberos-PKI-Federated identity
Kerberos-PKI-Federated identityKerberos-PKI-Federated identity
Kerberos-PKI-Federated identity
 
Maintain data privacy during software development
Maintain data privacy during software developmentMaintain data privacy during software development
Maintain data privacy during software development
 
DSS - Investor Presentation
DSS - Investor PresentationDSS - Investor Presentation
DSS - Investor Presentation
 
Cyber security basics for law firms
Cyber security basics for law firmsCyber security basics for law firms
Cyber security basics for law firms
 

Recently uploaded

Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 

Recently uploaded (20)

The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 

Mulin Holstein PKI-strategy

  • 1.  Developing your corporate PKI Strategy  Gil Mulin, Airbus  Julien Holstein, Aerospace Vision on behalf of Airbus
  • 2. May 2010 Page 2 Prologue With cyber security as one of the top priorities of the President, the federal government has initiated a significant overhaul of its information security standards, guidance, and risk management activities. The National Institute of Standards and Technology (NIST) in partnership with the Department of Defense and the Intelligence Community, is developing a unified information security and risk management framework for federal agencies and their support contractors including those organizations in the A&D industries. Many state and local governments as well as private sector entities are adopting the security standards and guidelines on a voluntary basis. Applying information security best practices and effectively managing risk associated with the operation and use of information systems will help ensure that the operations, assets, and individuals within the United States critical infrastructure are well protected against an increasingly sophisticated and dangerous set of cyber threats. Dr. Ronald Ross, Project Lead for FISMA Implementation Project, National Institute of Standards and Technology (NIST)
  • 3. May 2010 Page 3 Agenda Introduction A reminder Companies’ needs Possible implementations Conclusion 1 3 4 2 5
  • 4. May 2010 Page 4 1 - Introduction  Information security is a key topic in the industry Deals with confidentiality, integrity (and non repudiation) and availability of data Data digital security is widely handled with digital certificates Aeronautical actors have to implement information security all over their activities In domains where aircrafts are impacted In all their other domains (finance, strategy, HR, technical design…) DSWG sets the standard concerning the usage of digital certificates around the aircrafts  Impact various contributors (manufacturers, system providers, airlines, airports…)  Defines processes and technical requirements around digital certificates in order to provide a good level of trust
  • 5. May 2010 Page 5 Agenda Introduction Reminders Companies’ needs Possible implementation Conclusion 1 3 4 2 5
  • 6. May 2010 Page 6  What are digital certificates ? Digital certificates are the digital keys which allow to encrypt data (protect the confidentiality) and to digitally sign data (provide assurance on integrity, identity and non repudiation). They are provided by Certificates Authorities (CA) 2 - Reminders Mr Blue signs a document with his certificate And send it to Mr Green Mr Green recognizes Mr Blue signature This provides assurance on : •The identity of the sender •The integrity of the data since it has been signed •The fact the message has been sent (non repudiation) Mr Blue encrypt a document for Mr green And send it to Mr Green Mr Green decrypt the document with his certificate This provides assurance on : •The confidentiality of the data
  • 7. May 2010 Page 7  What is a Public Key Infrastructure (PKI) ? A PKI is the addition of physical Information System means (servers, specialized software,…) and processes in order to manage digital certificates lifecycle (certificates generation, revocation, renewal, user registration, revocation lists managements, public information publication, trust anchor…) It is important to notice that a PKI is split in 20% of technology and 80% of processes and management 2 - Reminders PKI publication of public information and trust anchor
  • 8. May 2010 Page 8  What is a cross certification bridge ? A cross certification bridge is a set of rules PKI can fulfill to enlarge their circle of trust. All the PKI cross certified toward the same bridge trust and are trusted by all the others 2 - Reminders PKI publication of public information and trust anchor Company B PKI publication of public information and trust anchor Company A
  • 9. May 2010 Page 9  What is a cross certification bridge ? A cross certification bridge is a set of rules PKI can fulfill to enlarge their circle of trust. All the PKI cross certified toward the same bridge trust and are trusted by all the others 2 - Reminders PKI publication of public information and trust anchor Company B PKI publication of public information and trust anchor Company A Cross certification bridge
  • 10. May 2010 Page 10  What is a cross certification bridge ? A cross certification bridge is a set of rules PKI can fulfill to enlarge their circle of trust. All the PKI cross certified toward the same bridge trust and are trusted by all the others A cross certification bridge requires a Trust anchor. A Trust anchor is the foundation upon which the trust chain rests. A trust anchor is an unequivocal authority, usually governmental. For example , in the case of Certipath (jointly owned by ARINC,SITA and Exostar) the trust anchor is the U.S Federal PKI Authority. The trust anchor determines the criteria for cross-certification as well as the governance regime. 2 - Reminders
  • 11. May 2010 Page 11  What collaboration WITHOUT a cross certification bridge looks like 2 - Reminders
  • 12. May 2010 Page 12 2 - Reminders  What collaboration WITH a cross certification bridge looks like PKI Bridge
  • 13. May 2010 Page 13 2 - Reminders  Trust fabric CertiPath Bridge CA (CBCA) Federal Bridge CA (FBCA) Boeing CA CertiPath Root CA (CBCA) Exostar FIS CA (Subordinate) ARINC CA (Subordinate) Lockheed Martin CA Federal Shared Service Provider CAs (Subordinate) Raytheon CA Northrop Grumman CA Exostar CA SITA CA Federal Agency CAs CertiPath Operational Authority (OA) Federal Agency CAs Federal Agency CAs Federal Agency CAs Federal Shared Service Provider CAs (Subordinate) Cross-Cert Cross-Cert Cross-Cert Subordinates (SSP) Subordinates (SSP) EADS CA
  • 14. May 2010 Page 14 Agenda Introduction Reminders Companies’ needs Possible implementation Conclusion 1 3 4 2 5
  • 15. May 2010 Page 15  Aeronautical functional needs Loadable software parts code signing FAA form 8130-3 and EASA form1 digital signature XML crate digital signature ACARS messages encryption Industrial “ground” functional needs Encryption of sensitive data (files, e-mails, laptops hard drive) Digital signature of files and e-mails “Qualified” digital signature Strong authentication 3 – Companies’ needs
  • 16. May 2010 Page 16  Interoperability Maybe I will have to digitally sign a piece of software which will be loaded in an aircraft? (DSWG guidelines) Maybe I will have to digitally sign some official documents (DSWG-spec 2000 guidelines)? Maybe I will have to implement an “Extended Enterprise” business model which is going to require identity federation? (the foundation of which should rely on PKI) Practical Operations Minimal variation Fit within existing responsibilities Predictable Re-usable Economy Minimum new investment as operations evolve 3 – Companies’ needs
  • 17. May 2010 Page 17 Agenda Introduction Reminders Companies’ needs Possible implementation Conclusion 1 3 4 2 5
  • 18. May 2010 Page 18 What are your choices in terms of use? To consolidate on as few digital certificates as possible, all issued from a single PKI or to use different digital certificates for each activity, possibly issued by different PKI What are your choices in terms of implementation? You can choose to buy your certificates Why would you choose to buy your certificates? You have a choice of providers You can choose to implement your own PKI You will need external expertise to provide specialist knowledge Why would you choose to implement your own PKI? Why would you want to have certificates that are cross-certified? 4 - Possible implementation
  • 19. May 2010 Page 19 What are your drivers? Cost (implementing your own PKI is very expensive) Economies of scale Availability of resources Management focus Strategy : do you want to wait for regulation to enforce you or do you want to or to anticipate the best you can? Why would you wait for regulation? Why would you anticipate? In either case (make or buy) it is fundamental that the company has processes in place that provide a unique identity for each employee together with the respective vetting actions which the law of the country allows. ( for example is should be based on FIPS 201 /HSPD 12 in the US ) There are certain roles that have to be created e.g. the Registration Authorities. These RAs register the future subscriber. There are also the Trusted Agents. They are responsible for issuing the certificates and therefore for ensuring the binding of the identity of the subscriber to the certificate itself 4 - Possible implementation
  • 20. May 2010 Page 20 4 - Possible implementation Federal Bridge (FBCA) Raytheon The Boeing Company Citibank Northrop Grumman Lockheed Martin Cybertrust Entrust Exostar ORC Treasury VeriSign USPTO NASAGPODOJDOS Other Federal Agency Sponsored DoD Sponsored DoD Other Federal Agency Commercial State Government Shared Service Provider DHS EADS SITA Exostar CertiPath Root ORC VeriSign IdentTrust DoD ECA Root 1 DoD iRoot UK CCEB RootDoD Root 2 DoD Root 1 DoD Subordinate CA’s UK MOD CCEB Root Common Policy Root CertiPath Bridge ORC VeriSign IdentTrust DoD ECA Root 2 USPS DEA CSOS GSA ACES IdentTrust GSA ACES VeriSign DOEDOE
  • 21. May 2010 Page 21 Epilogue With cyber security as one of the top priorities of the President, the federal government has initiated a significant overhaul of its information security standards, guidance, and risk management activities. The National Institute of Standards and Technology (NIST) in partnership with the Department of Defense and the Intelligence Community, is developing a unified information security and risk management framework for federal agencies and their support contractors including those organizations in the A&D industries. Many state and local governments as well as private sector entities are adopting the security standards and guidelines on a voluntary basis. Applying information security best practices and effectively managing risk associated with the operation and use of information systems will help ensure that the operations, assets, and individuals within the United States critical infrastructure are well protected against an increasingly sophisticated and dangerous set of cyber threats. Dr. Ronald Ross, Project Lead for FISMA Implementation Project, National Institute of Standards and Technology (NIST)
  • 22. May 2010 Page 22 Agenda Introduction Reminders Companies’ needs Possible implementation Conclusion 1 3 4 2 5
  • 23. May 2010 Page 23 What do I need to implement? Should I make or should I buy? In order to help you in front of those two questions, we advise you have a clear vision on your immediate and midterm needs through several axis : Identity and non repudiation, integrity and confidentiality needs Regulated needs versus “free” corporate needs Pure internal needs versus shared needs with partners/customers/suppliers Strategy of my company towards the Extended Enterprise model The interoperability you expect between all these needs The agility you expect your solution to have 5 - Conclusion
  • 24. May 2010 Page 24 Any questions? Gil Mulin, Airbus gil.mulin@airbus.com Julien Holstein, Aerospace Vision on behalf of Airbus julien.holstein@aerospace-vision.com 5 - Conclusion